feat(nifi) Add version 2.7.2, remove 1.27.0 and 2.4.0

nifi/Dockerfile

@@ -107,8 +107,8 @@ COPY --chown=${STACKABLE_USER_UID}:0 nifi/nifi-iceberg-bundle/stackable/patches/
 RUN <<EOF
 mkdir -p /stackable
 
-# NiFI 1.x natively supports Iceberg, no need to build an iceberg-bundle for it
-if [[ "${PRODUCT_VERSION}" != 1.* ]] ; then
+# Only build nifi-iceberg-bundle in case it is needed/supported
+if [[ -n "${NIFI_ICEBERG_BUNDLE_VERSION:-}" ]] ; then
     cd "$(/stackable/patchable --images-repo-root=src checkout nifi/nifi-iceberg-bundle ${NIFI_ICEBERG_BUNDLE_VERSION})"
 
     # Create snapshot of the source code including custom patches

nifi/boil-config.toml

@@ -1,50 +1,36 @@
-[versions."1.27.0".local-images]
-java-base = "11"
-java-devel = "11"
-"shared/logback" = "1.3.14"
-
-[versions."1.27.0".build-arguments]
-git-sync-version = "v4.4.1"
-# Check for new versions at the upstream: https://github.com/DavidGitter/nifi-opa-plugin/tags
-# Checkout a Patchable version (patch-series) for the new tag
-nifi-opa-authorizer-plugin-version = "0.3.2"
-
 [versions."1.28.1".local-images]
 java-base = "11"
 java-devel = "11"
-"shared/logback" = "1.3.14"
+"shared/logback" = "1.3.14" # https://github.com/apache/nifi/blob/rel/nifi-1.28.1/pom.xml#L146
 
 [versions."1.28.1".build-arguments]
 git-sync-version = "v4.4.1"
-# Check for new versions at the upstream: https://github.com/DavidGitter/nifi-opa-plugin/tags
+# Check for new versions at the upstream: https://github.com/stackabletech/nifi-opa-plugin/tags
 # Checkout a Patchable version (patch-series) for the new tag
-nifi-opa-authorizer-plugin-version = "0.3.2"
+nifi-opa-authorizer-plugin-version = "0.4.0"
 
-[versions."2.4.0".local-images]
+[versions."2.6.0".local-images]
 java-base = "21"
 java-devel = "21"
-"shared/logback" = "1.5.18"
+"shared/logback" = "1.5.18" # https://github.com/apache/nifi/blob/rel/nifi-2.6.0/pom.xml#L156
 
-[versions."2.4.0".build-arguments]
+[versions."2.6.0".build-arguments]
 git-sync-version = "v4.4.1"
-# Check for new versions at the upstream: https://github.com/DavidGitter/nifi-opa-plugin/tags
+# Check for new versions at the upstream: https://github.com/stackabletech/nifi-opa-plugin/tags
 # Checkout a Patchable version (patch-series) for the new tag
-nifi-opa-authorizer-plugin-version = "0.3.2"
+nifi-opa-authorizer-plugin-version = "0.4.0"
+
 # Release a new version here: https://github.com/stackabletech/nifi-iceberg-bundle
 # Checkout a Patchable version (patch-series) for the new tag
 nifi-iceberg-bundle-version = "0.0.5"
 
-[versions."2.6.0".local-images]
-java-base = "21"
+[versions."2.7.2".local-images]
+java-base = "21" # As stated in GitHub README
 java-devel = "21"
-"shared/logback" = "1.5.18"
+"shared/logback" = "1.5.24" # https://github.com/apache/nifi/blob/rel/nifi-2.7.2/pom.xml#L167
 
-[versions."2.6.0".build-arguments]
+[versions."2.7.2".build-arguments]
 git-sync-version = "v4.4.1"
-# Check for new versions at the upstream: https://github.com/DavidGitter/nifi-opa-plugin/tags
+# Check for new versions at the upstream: https://github.com/stackabletech/nifi-opa-plugin/tags
 # Checkout a Patchable version (patch-series) for the new tag
-nifi-opa-authorizer-plugin-version = "0.3.2"
-
-# Release a new version here: https://github.com/stackabletech/nifi-iceberg-bundle
-# Checkout a Patchable version (patch-series) for the new tag
-nifi-iceberg-bundle-version = "0.0.5"
+nifi-opa-authorizer-plugin-version = "0.4.0"

nifi/opa-plugin/stackable/patches/0.4.0/patchable.toml

@@ -0,0 +1,2 @@
+mirror = "https://github.com/stackabletech/nifi-opa-plugin.git"
+base = "46963de3522d04461c8b21b71629736279b9f653"

nifi/stackable/patches/2.7.2/0001-no-zip-assembly.patch

@@ -0,0 +1,21 @@
+From 2e6ee7afe50f032cde26f9242094fd19c388fea0 Mon Sep 17 00:00:00 2001
+From: Nick Larsen <[email protected]>
+Date: Mon, 17 Feb 2025 17:26:20 +0100
+Subject: no zip assembly
+
+---
+ nifi-assembly/pom.xml | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/nifi-assembly/pom.xml b/nifi-assembly/pom.xml
+index fa08b8b4af..5db9e3c08f 100644
+--- a/nifi-assembly/pom.xml
++++ b/nifi-assembly/pom.xml
+@@ -66,7 +66,6 @@ language governing permissions and limitations under the License. -->
+                             <tarLongFileMode>posix</tarLongFileMode>
+                             <formats>
+                                 <format>dir</format>
+-                                <format>zip</format>
+                             </formats>
+                         </configuration>
+                     </execution>

nifi/stackable/patches/2.7.2/0002-add-cyclonedx-plugin.patch

@@ -0,0 +1,38 @@
+From 720ac307ebbf577e01c7b0365582284ede86933a Mon Sep 17 00:00:00 2001
+From: Nick Larsen <[email protected]>
+Date: Mon, 17 Feb 2025 17:31:17 +0100
+Subject: add cyclonedx plugin
+
+---
+ pom.xml | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/pom.xml b/pom.xml
+index e6fa490bc1..e8a6249f53 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -1038,6 +1038,24 @@
+                     </rulesets>
+                 </configuration>
+             </plugin>
++            <plugin>
++                <groupId>org.cyclonedx</groupId>
++                <artifactId>cyclonedx-maven-plugin</artifactId>
++                <version>2.8.0</version>
++                <configuration>
++                    <projectType>application</projectType>
++                    <schemaVersion>1.5</schemaVersion>
++                    <skipNotDeployed>false</skipNotDeployed>
++                </configuration>
++                <executions>
++                  <execution>
++                    <phase>package</phase>
++                    <goals>
++                      <goal>makeBom</goal>
++                    </goals>
++                  </execution>
++                </executions>
++            </plugin>
+         </plugins>
+     </build>
+     <profiles>

nifi/stackable/patches/2.7.2/0003-disable-host-port-validation-if-list-of-allowed-host.patch

@@ -0,0 +1,48 @@
+From b8c61bd2e862eef615b2a4c8c2e4aa7d1756e469 Mon Sep 17 00:00:00 2001
+From: Benedikt Labrenz <[email protected]>
+Date: Thu, 22 May 2025 14:47:24 +0200
+Subject: disable host port validation if list of allowed hosts only contains
+ '*'
+
+---
+ .../connector/FrameworkServerConnectorFactory.java  | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/connector/FrameworkServerConnectorFactory.java b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/connector/FrameworkServerConnectorFactory.java
+index 1b28722a3f..72986669d5 100644
+--- a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/connector/FrameworkServerConnectorFactory.java
++++ b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/connector/FrameworkServerConnectorFactory.java
+@@ -54,6 +54,8 @@ public class FrameworkServerConnectorFactory extends StandardServerConnectorFact
+
+     private final String excludeCipherSuites;
+
++    private final boolean disableHostPortValidator;
++
+     private final Set<Integer> validPorts;
+
+     private SslContextFactory.Server sslContextFactory;
+@@ -72,6 +74,11 @@ public class FrameworkServerConnectorFactory extends StandardServerConnectorFact
+         headerSize = DataUnit.parseDataSize(properties.getWebMaxHeaderSize(), DataUnit.B).intValue();
+         validPorts = getValidPorts(properties);
+
++        // Check if the property for allowed hosts has only the wildcard entry and
++        // if so store this in disableHostPortValidator for later use
++        List<String> configuredHostNames = properties.getAllowedHostsAsList();
++        disableHostPortValidator = configuredHostNames.size() == 1 && configuredHostNames.contains("*");
++
+         if (properties.isHTTPSConfigured()) {
+             if (properties.isClientAuthRequiredForRestApi()) {
+                 setNeedClientAuth(true);
+@@ -102,8 +109,10 @@ public class FrameworkServerConnectorFactory extends StandardServerConnectorFact
+         // Add HostHeaderCustomizer to set Host Header for HTTP/2 and HostHeaderHandler
+         httpConfiguration.addCustomizer(new HostHeaderCustomizer());
+
+-        final HostPortValidatorCustomizer hostPortValidatorCustomizer = new HostPortValidatorCustomizer(validPorts);
+-        httpConfiguration.addCustomizer(hostPortValidatorCustomizer);
++        if (!disableHostPortValidator) {
++            final HostPortValidatorCustomizer hostPortValidatorCustomizer = new HostPortValidatorCustomizer(validPorts);
++            httpConfiguration.addCustomizer(hostPortValidatorCustomizer);
++        }
+
+         return httpConfiguration;
+     }

nifi/stackable/patches/2.7.2/0004-NIFI-14858-Make-SNI-checking-configurable.patch

@@ -0,0 +1,108 @@
+From bad76f4eb8703301b6233d8057e3157305a85e2e Mon Sep 17 00:00:00 2001
+From: Lars Francke <[email protected]>
+Date: Wed, 13 Aug 2025 14:16:55 +0200
+Subject: NIFI-14858: Make SNI checking configurable
+
+Introduces two new properties:
+- nifi.web.https.sni.required (default: false)
+- nifi.web.https.sni.host.check (default: true)
+
+These defaults mean that SNI is not required (this is the current behavior already) but if SNI is provided then the host has to match.
+---
+ .../StandardServerConnectorFactory.java       | 24 +++++++++++++++++++
+ .../org/apache/nifi/util/NiFiProperties.java  | 10 ++++++++
+ .../FrameworkServerConnectorFactory.java      |  4 ++++
+ 3 files changed, 38 insertions(+)
+
+diff --git a/nifi-commons/nifi-jetty-configuration/src/main/java/org/apache/nifi/jetty/configuration/connector/StandardServerConnectorFactory.java b/nifi-commons/nifi-jetty-configuration/src/main/java/org/apache/nifi/jetty/configuration/connector/StandardServerConnectorFactory.java
+index 26d09706a1..132973cad5 100644
+--- a/nifi-commons/nifi-jetty-configuration/src/main/java/org/apache/nifi/jetty/configuration/connector/StandardServerConnectorFactory.java
++++ b/nifi-commons/nifi-jetty-configuration/src/main/java/org/apache/nifi/jetty/configuration/connector/StandardServerConnectorFactory.java
+@@ -70,6 +70,10 @@ public class StandardServerConnectorFactory implements ServerConnectorFactory {
+
+     private int requestHeaderSize = 8192;
+
++    private boolean sniRequired = false;
++
++    private boolean sniHostCheck = true;
++
+     /**
+      * Standard Server Connector Factory Constructor with required properties
+      *
+@@ -181,6 +185,24 @@ public class StandardServerConnectorFactory implements ServerConnectorFactory {
+         this.requestHeaderSize = requestHeaderSize;
+     }
+
++    /**
++     * Set to true if a SNI certificate is required, else requests will be rejected with 400 response.
++     *
++     * @param sniRequired SNI Required status
++     */
++    public void setSniRequired(final boolean sniRequired) {
++        this.sniRequired = sniRequired;
++    }
++
++    /**
++     * Set to true if the SNI Host name must match when there is an SNI certificate.
++     *
++     * @param sniHostCheck SNI Host Check status
++     */
++    public void setSniHostCheck(final boolean sniHostCheck) {
++        this.sniHostCheck = sniHostCheck;
++    }
++
+     protected Server getServer() {
+         return server;
+     }
+@@ -195,6 +217,8 @@ public class StandardServerConnectorFactory implements ServerConnectorFactory {
+             httpConfiguration.setSendServerVersion(SEND_SERVER_VERSION);
+
+             final SecureRequestCustomizer secureRequestCustomizer = new SecureRequestCustomizer();
++            secureRequestCustomizer.setSniRequired(sniRequired);
++            secureRequestCustomizer.setSniHostCheck(sniHostCheck);
+             httpConfiguration.addCustomizer(secureRequestCustomizer);
+         }
+
+diff --git a/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java b/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java
+index b9456a98a0..45262a8f4f 100644
+--- a/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java
++++ b/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java
+@@ -203,6 +203,8 @@ public class NiFiProperties extends ApplicationProperties {
+     public static final String WEB_HTTPS_CIPHERSUITES_INCLUDE = "nifi.web.https.ciphersuites.include";
+     public static final String WEB_HTTPS_CIPHERSUITES_EXCLUDE = "nifi.web.https.ciphersuites.exclude";
+     public static final String WEB_HTTPS_NETWORK_INTERFACE_PREFIX = "nifi.web.https.network.interface.";
++    public static final String WEB_HTTPS_SNI_REQUIRED = "nifi.web.https.sni.required";
++    public static final String WEB_HTTPS_SNI_HOST_CHECK = "nifi.web.https.sni.host.check";
+     public static final String WEB_WORKING_DIR = "nifi.web.jetty.working.directory";
+     public static final String WEB_THREADS = "nifi.web.jetty.threads";
+     public static final String WEB_MAX_HEADER_SIZE = "nifi.web.max.header.size";
+@@ -706,6 +708,14 @@ public class NiFiProperties extends ApplicationProperties {
+         return Arrays.stream(protocols.split("\\s+")).collect(Collectors.toSet());
+     }
+
++    public boolean isWebHttpsSniRequired() {
++        return Boolean.parseBoolean(getProperty(WEB_HTTPS_SNI_REQUIRED, "false"));
++    }
++
++    public boolean isWebHttpsSniHostCheck() {
++        return Boolean.parseBoolean(getProperty(WEB_HTTPS_SNI_HOST_CHECK, "true"));
++    }
++
+     public String getWebMaxHeaderSize() {
+         return getProperty(WEB_MAX_HEADER_SIZE, DEFAULT_WEB_MAX_HEADER_SIZE);
+     }
+diff --git a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/connector/FrameworkServerConnectorFactory.java b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/connector/FrameworkServerConnectorFactory.java
+index 72986669d5..993b23889c 100644
+--- a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/connector/FrameworkServerConnectorFactory.java
++++ b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/connector/FrameworkServerConnectorFactory.java
+@@ -90,6 +90,10 @@ public class FrameworkServerConnectorFactory extends StandardServerConnectorFact
+
+             // Set Transport Layer Security Protocols based on platform configuration
+             setIncludeSecurityProtocols(TlsPlatform.getPreferredProtocols().toArray(new String[0]));
++
++            // Set SNI configuration from properties
++            setSniRequired(properties.isWebHttpsSniRequired());
++            setSniHostCheck(properties.isWebHttpsSniHostCheck());
+         }
+     }
+